What is SSH?
Let us start with what SSH is, what an agent is, and why we use it. SSH stands for Secure Shell, a cryptographic network protocol for operating network services securely over an insecure network. It is an application layer protocol; the application layer is the seventh layer of the OSI model. The application layer supports several other services such as Telnet, SMTP, file transfer, web surfing, web chats, email clients, network data sharing, virtual terminals and various file and data operations.
How Does SSH Work?
SSH connects from a client application such as PuTTY to an SSH server such as OpenSSH Server. SSH was designed as a replacement for Telnet, which is also an application layer protocol, for security reasons: Telnet sessions were unencrypted and sent all information in plain text.
What are the Uses of SSH?
SSH can be used to transmit data, commands, text, and even files (using SFTP, which is an encrypted version of FTP) in encrypted form, which makes man-in-the-middle attacks not possible. SSH works worldwide provided that the port on the server is correctly port forwarded. It also works on a bunch of different platforms such as Windows, Linux, and any device that runs Linux and has an SSH server installed, such as Android, routers, switches, Mac, iPhone, etc.
Problems with Remote Access Using SSH
Most of us face a common problem: we cannot access our office PC, or any local device for that matter, because it sits behind a very restrictive corporate firewall or behind a router. For most of us, the office PC is behind a firewall that is connected to the Internet. The problem is that, by default, the firewall won't allow any incoming traffic from the Internet into the internal network. This means you can connect to remote hosts on the Internet from your office PC on the internal network, but remote devices won't be able to connect to your office PC, or SSH into it, without port forwarding.
This is a massive headache if you have to access files and other materials on your office PC from your home network and/or SSH without port forwarding. A solution? Well, there are various methods to connect to a device behind a router/firewall.
- Adding a Firewall Rule
Adding a firewall rule that accepts connections from a specific remote IP address to a specific port and redirects them to your office PC allows you to SSH without port forwarding.
Port forwarding is a mechanism used to permit an external device access to services on local/private networks. It is a technique used by devices such as routers to separate overall network traffic, thereby improving overall network speed and providing a definite path for different data to reach its destination. To better understand port forwarding, it is good to take a closer look at IP addresses and the working of the Internet.
Types of IP Address
There are mainly 2 types of IP address.
Public IP and Private IP
A public IP address is an IP address that can be accessed over the Internet. This IP address is unique throughout the Internet.
Private IP addresses are addresses that are assigned to computers within your private network or LAN. Such an address is unique within a network. Private IP addresses are not directly exposed to the Internet. That means we cannot access any device outside our LAN using its private IP address.
If we want an Internet connection in our home, we contact an ISP. An ISP is an organization that provides us access to the Internet, for example Asianet, BSNL, etc. The ISP gives us an IP address which can be used for accessing the Internet. The modem simply demodulates the incoming packets and modulates the outgoing packets. If we have a single PC, we can connect the modem directly to that PC.
In the case of SSH connections from someone outside the LAN, they will use your public IP to connect to your network. In the router you configure port forwarding and tell your router: "If any packet is received on port 22 (the default port used by SSH), forward it to <my_private_IP>".
This way you can establish a connection to a machine within the local network from the Internet.
- Reverse SSH
As mentioned earlier, the firewall rejects an SSH connection that an external machine tries to establish with the remote machine. But what if the connection request originates from the remote host behind the network? The firewall will let the connection request pass through it. This is what we do in reverse SSH. This method can also allow you to SSH without port forwarding. This is a big topic and will be discussed in a future post.
Ngrok is a service that enables us to connect to any device (inside a LAN or Internet facing) through any network without port forwarding. One key advantage of using ngrok is that you don't have to be on the same local network as your device to access it. You can SSH without port forwarding, use FTP or access a web server on your local network using ngrok.
So how does ngrok work? Well, how ngrok works has been clearly explained in the previous post. If you are interested in learning more about it, you can click here. Now you know what ngrok is and what it can do. Let us use ngrok to set up the office PC to accept SSH without port forwarding from a remote device.
Before diving into the main content, it will be a good idea to know a little bit about SSH. SSH is also known as Secure Socket Shell. SSH is a protocol that enables users to access a remote PC in a secure manner. SSH does this by providing a strong authentication mechanism and an encryption mechanism to encrypt the data that is being transferred between two computers. Even though we are using insecure networks such as public WiFi networks or library networks, we are still safe due to the encryption provided by SSH. Even if an attacker sniffs the traffic, he finds nothing but gibberish and scrambled data. Without the key, he won't be able to decrypt it. SSH is widely used by network administrators for logging into remote systems, accessing data and resources, accessing remote applications and executing commands on remote devices.
SSH without Port Forwarding
Here, I will show you a simple example using ngrok. I will start an SSH server (port 22) on my office PC inside the office network, set up ngrok on my office PC and SSH into it from outside the LAN using the ngrok link.
Step 1 – Set up an Account
Follow this link and create an Account in Ngrok.
Once you complete the sign-up process, you will be provided with an ‘authtoken’ which can be used to connect your Raspberry Pi to your Ngrok account. Take a note of it.
Step 2 – Download Ngrok
If everything goes well, you will see a file named “ngrok”
Step 3 – Connect your Account
Run the below command to set your ‘authtoken’
Step 4 – Start ngrok
Now you can run ngrok
./ngrok tcp 22
Now you will see something like this
Web Interface    http://127.0.0.1:4040
Forwarding       tcp://0.tcp.ngrok.io:36428 -> localhost:22
The Forwarding line indicates that any connection to '0.tcp.ngrok.io' on port 36428 will be redirected to port 22 on the machine on which ngrok is running.
Step 5 – Connect to your Office PC from a Remote PC
Now you can easily connect to your device from a remote computer using the command below, where <username> stands for your account name on the office PC
ssh <username>@0.tcp.ngrok.io -p 36428
That's it. You will be connected to the office PC in no time. This is how you SSH without port forwarding.
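The address in the Forwarding line belongs to ngrok's relay, not to the office PC, so the name you type into ssh says nothing about which machine answers. The following is an added example, not part of the original post: it parses the Forwarding line from Step 4 and builds an ssh command that checks the server's host key under a fixed alias. The function names, the user `alice` and the alias `office-pc` are hypothetical, and it assumes the office PC's public host key has already been copied into known_hosts under that alias over a trusted channel.

```shell
#!/bin/sh
# Added example (not from the original post). Sample line constructed from
# the ngrok status output shown in Step 4.
SAMPLE_LINE='Forwarding tcp://0.tcp.ngrok.io:36428 -> localhost:22'

# parse_forwarding LINE
# Prints "host port" for a TCP forwarding line; returns 1 for anything else.
parse_forwarding() {
    url=$(printf '%s\n' "$1" |
        sed -n 's|^.*Forwarding[[:space:]]*tcp://\([^[:space:]]*\)[[:space:]]*->.*$|\1|p')
    [ -n "$url" ] || return 1
    host=${url%:*}
    port=${url##*:}
    # Reject anything that is not a plain hostname and a numeric port, so a
    # malformed line never ends up inside the ssh command.
    case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$host" "$port"
}

# build_ssh_command LINE USER ALIAS
# HostKeyAlias makes ssh look up the host key under ALIAS instead of the
# relay's host name and port; StrictHostKeyChecking=yes refuses to connect
# when the presented key is unknown or different from the stored one.
build_ssh_command() {
    hp=$(parse_forwarding "$1") || return 1
    fwd_host=${hp% *}
    fwd_port=${hp#* }
    printf 'ssh -p %s -o HostKeyAlias=%s -o StrictHostKeyChecking=yes %s@%s\n' \
        "$fwd_port" "$3" "$2" "$fwd_host"
}

# Hypothetical user "alice" and alias "office-pc".
build_ssh_command "$SAMPLE_LINE" alice office-pc
```

With these options ssh stops with a host key error instead of prompting when the machine behind the tunnel is not the one whose key you stored.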